SOA Security Solutions: Four Patterns to Grow On

How can you combine diverse products into an SOA security solution for today's needs as well as leave a path for tomorrow's demands? Forrester's Randy Heffner shares four broad solution patterns.

By Randy Heffner
Wed, November 04, 2009

CIO

The simplest and most common approach to security for service-oriented architecture (SOA) is to route service requests over a virtual private network (VPN). This provides adequate security for simple, coarse-grained requirements, it works with SOAP, REST, and non-Web services protocols, and it is adequate even for many external integration scenarios. Yet not all security scenarios are simple, and for more complex needs and fine-grained SOA security, architects must do considerably more planning and design. To craft a comprehensive strategy and architecture for SOA security, architects must consider a wide diversity of security requirements, business scenarios, and application infrastructure, weaving together multiple products, standards, and custom-built components into a flexible and robust SOA security solution.


At least 10 product categories can play a part in SOA security architecture, and there are major areas of functional overlap among them. The building-block structure of SOA and Web services security specifications means architects must plan carefully for which specifications they will use and when to use them. Business scenarios with different security requirements may require different combinations of specifications and products. Adding even further to the complexity, the standards and specifications are still maturing, so there is little industry experience with best practices for many of the specifications. Architects may face additional challenges including divergent SOA infrastructure, multiple SOA messaging exchange patterns, the need to federate security across multiple environments, and the need to propagate identity across layers as one service calls another. This is not to mention common issues like organizational friction, cost, and difficulties with architecture governance.

Because of these complexities, few can afford to invest upfront in a complete and comprehensive SOA security solution that addresses all future requirements, which means that architects' final challenge is to evolve a comprehensive solution over time. To assist in pursuing an incremental approach, here is a continuum of four broad solution patterns that show how to combine diverse products into an SOA security solution for today's needs, and how today's solution can leave a path open for tomorrow's needs.

Scenario No. 1: Simple VPN Provides A Basic Solution In A Short Time

As a common starting point, some SOA users have immediate scenarios that require them to quickly find an acceptable — even if suboptimal — SOA security solution. In these scenarios, SOA requests and responses are secured using only transport-level security. With SOAP and REST, this is typically accomplished via two-way secure socket layer (SSL). With VPN connections, even requests over the public Internet are confidential and secure. Often, simple VPN approaches use implicit authorization: Any request that comes in over the VPN is allowed to access the available services. Although a simple VPN can support identification of individual users, this is rare because of the administrative overhead of managing certificates for every user. A simple VPN is often configured as a direct transport-level connection between the service consumer's platform and the service platform, which may be either an application server or a simple Web server environment. In a Forrester survey, two-thirds of SOA users said that using only a simple VPN is an important option in their SOA security arsenal.
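As an added example that is not part of the article, the following nginx configuration shows the two-way SSL pattern described above in its two forms: the implicit-authorization variant, in which any consumer holding a certificate from the trusted CA may call every service, and a variant that identifies individual consumers by certificate subject and authorizes per service. The hostname, file paths, upstream name and subject DN are assumptions.

```nginx
# Added example (not from the article). Paths, names and the DN are assumed.
upstream app_server {
    server 127.0.0.1:8080;   # assumed service platform behind the gateway
}

# Identification of individual consumers: map the client certificate subject
# to an explicit per-service allow decision. The DN format assumes nginx
# 1.11.6+ (RFC 2253 style, e.g. "CN=...,O=..."); older releases use "/O=.../CN=...".
map $ssl_client_s_dn $consumer_allowed_orders {
    default                              0;
    "CN=partner-a-client,O=Partner A"    1;   # assumed subject DN
}

server {
    listen 443 ssl;
    server_name services.example.internal;            # assumed hostname

    ssl_certificate        /etc/nginx/tls/server.crt;      # assumed path
    ssl_certificate_key    /etc/nginx/tls/server.key;      # assumed path
    ssl_client_certificate /etc/nginx/tls/partner-ca.crt;  # assumed CA bundle
    ssl_verify_client      on;   # reject any connection without a valid client cert
    ssl_verify_depth       2;

    # Weak variant ("implicit authorization"): a valid certificate from the
    # trusted CA is the only check, so every consumer reaches every service.
    location /services/catalog/ {
        proxy_pass http://app_server;
    }

    # Corrected variant: the certificate identifies the consumer, and the
    # service is reachable only for subjects explicitly mapped above. The
    # identity is also propagated downstream so the service layer can use it.
    location /services/orders/ {
        if ($consumer_allowed_orders = 0) {
            return 403;
        }
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://app_server;
    }
}
```

The catalog location reproduces the behaviour the article attributes to simple VPN setups; the orders location shows the extra administrative step (a subject allow-list per service) that the article notes most teams avoid because of certificate management overhead.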
